Apply fixes for deploy checklist.

Fixes #19
mblayman · Aug 17, 2023 · 9d8e8c1 · 9d8e8c1
1 parent 72a49e8
commit 9d8e8c1
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/.env.example b/.env.example
@@ -1,10 +1,14 @@
 ACCOUNT_DEFAULT_HTTP_PROTOCOL=http
 ALLOWED_HOSTS=*
+CSRF_COOKIE_SECURE=off
 DEBUG=on
 EMAIL_BACKEND=django.core.mail.backends.console.EmailBackend
 EMAIL_SENDGRID_REPLY_TO=[email protected]
 PYTHONUNBUFFERED=1
 SECRET_KEY="django-insecure-l@1xnj747ei)9ex(0zkfyy6zv@&*=i$wi9722=ji7)+s^_kuvy"
+SECURE_HSTS_SECONDS=0
+SECURE_SSL_REDIRECT=off
 SENDGRID_API_KEY=fake_apikey
 SENTRY_ENABLED=off
 SENTRY_DSN=dsn_example
+SESSION_COOKIE_SECURE=off
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -42,8 +42,8 @@ jobs:
       - name: Test it
         run: make coverage
 
-      # - name: Check deploy configuration
-      #   run: ./manage.py check --deploy --fail-level WARNING
-      #   env:
-      #     DATABASE_URL: 'sqlite://:memory:'
-      #     SECRET_KEY: 'zt(6jlr#oquxm2t%ryh#n+-72p^(3knbf&q$5x16#o%1im-s7!'
+      - name: Check deploy configuration
+        run: ./manage.py check --deploy --fail-level WARNING
+        env:
+          # DATABASE_URL: 'sqlite://:memory:'
+          SECRET_KEY: 'zt(6jlr#oquxm2t%ryh#n+-72p^(3knbf&q$5x16#o%1im-s7!'
diff --git a/project/settings.py b/project/settings.py
@@ -8,9 +8,13 @@
 env = environ.Env(
     ACCOUNT_DEFAULT_HTTP_PROTOCOL=(str, "https"),
     ALLOWED_HOSTS=(list, []),
+    CSRF_COOKIE_SECURE=(bool, True),
     DEBUG=(bool, False),
     EMAIL_BACKEND=(str, "anymail.backends.sendgrid.EmailBackend"),
+    SECURE_HSTS_SECONDS=(int, 60 * 60 * 24 * 365),
+    SECURE_SSL_REDIRECT=(bool, True),
     SENTRY_ENABLED=(bool, True),
+    SESSION_COOKIE_SECURE=(bool, True),
 )
 environ.Env.read_env(BASE_DIR / ".env")
 
@@ -132,13 +136,17 @@
 # https://docs.djangoproject.com/en/4.2/topics/i18n/
 
 LANGUAGE_CODE = "en-us"
-
 TIME_ZONE = "UTC"
-
 USE_I18N = True
-
 USE_TZ = True
 
+# Security
+CSRF_COOKIE_SECURE = env("CSRF_COOKIE_SECURE")
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+SECURE_HSTS_SECONDS = env("SECURE_HSTS_SECONDS")
+SECURE_SSL_REDIRECT = env("SECURE_SSL_REDIRECT")
+SESSION_COOKIE_SECURE = env("SESSION_COOKIE_SECURE")
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/4.2/howto/static-files/